Firefox 85 crumbles cache-abusing supercookies with potent partitioning powers

Scorches Flash for the very last time, too

The Mozilla Foundation has scorched a pair of monstrosities in the new version 85 of its Firefox browser.

The big target is supercookies which, as explained by Mozilla privacy engineer Steven Englehardt and senior product manager for Firefox privacy and security Arthur Edelstein, are very nasty trackers indeed because they exploit best-practice browser behaviour to offer tracking that goes beyond what both “official” cookies and privacy laws allow.

“Like all web browsers, Firefox shares some internal resources between websites to reduce overhead,” the pair explain, before offering up the Firefox cache as an example of this approach at work. “If the same image is embedded on multiple websites, Firefox will load the image from the network during a visit to the first website and on subsequent websites would traditionally load the image from the browser’s local image cache (rather than reloading from the network).”


So far, so sensible. But also, so exploitable by the cynical.

“Unfortunately, some trackers have found ways to abuse these shared resources to follow users around the web. In the case of Firefox’s image cache, a tracker can create a supercookie by ‘encoding’ an identifier for the user in a cached image on one website, and then ‘retrieving’ that identifier on a different website by embedding the same image,” the pair write.

Firefox 85 fights back by using “a different image cache for every website a user visits.”

This approach preserves the benefit of caching because files are still stored locally. But critically Firefox no longer shares caches across sites.
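To make the mechanism concrete, here is an added toy model (not Mozilla's code) of a browser resource cache keyed either by URL alone, as before, or by top-level site plus URL, as Firefox 85 now does. The tracker server, image URL and site names are constructed for the example; the point is that per-site keys break the cross-site link while a revisit to the same site still hits the cache.

```javascript
// Added example, not from the article or Firefox: a toy browser resource cache.
// When `partitioned` is false the key is the URL alone (shared across sites);
// when true the key is "topSite|url", which is the Firefox 85 behaviour.
class ResourceCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map();
  }

  // Cache key: plain URL when shared, or "topSite|url" when partitioned.
  keyFor(topSite, url) {
    return this.partitioned ? `${topSite}|${url}` : url;
  }

  // Return the cached body if present, otherwise fetch it via `networkFetch`.
  load(topSite, url, networkFetch) {
    const key = this.keyFor(topSite, url);
    if (!this.store.has(key)) {
      this.store.set(key, networkFetch(url));
    }
    return this.store.get(key);
  }
}

// Constructed tracker server: every real network load yields a fresh identifier,
// standing in for an image with an identifier "encoded" into it.
function makeTrackerServer() {
  let counter = 0;
  return (url) => `${url}#id-${++counter}`;
}

// Simulate two unrelated sites that both embed the tracker's image, then a
// revisit to the first site to show caching still works under partitioning.
function simulateVisits(partitioned) {
  const cache = new ResourceCache({ partitioned });
  const fetch = makeTrackerServer();
  const img = "https://tracker.example/pixel.png"; // constructed URL
  const onSiteA = cache.load("https://news.example", img, fetch);
  const onSiteB = cache.load("https://shop.example", img, fetch);
  const onSiteAAgain = cache.load("https://news.example", img, fetch);
  return {
    onSiteA,
    onSiteB,
    linkedAcrossSites: onSiteA === onSiteB, // true only in the shared cache
    cachedOnRevisit: onSiteAAgain === onSiteA, // true in both modes
  };
}
```

The same keying by top-level site is what the article later describes for pooled and speculative connections and TLS session identifiers: the resource is still reused, just never across sites.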

Englehardt and Edelstein identify eleven caches – HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache – that they needed to address.

But that’s not all they needed to change. “Firefox would reuse a single network connection when loading resources from the same party embedded on multiple websites,” the pair wrote. While this approach would avoid the need for extra TCP handshakes as browsers reach for different resources, sustaining a single network session enabled user tracking.

Firefox 85 therefore “partitions pooled connections, prefetch connections, preconnect connections, speculative connections, and TLS session identifiers.”

The two Mozillans admit that this new approach does impact page load time but rate the hit as “very modest” as it delivers “between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile.” The pair say that’s about the same as similar protections coming real soon now to Chrome.

Indeed, the two authors sign off by thanking “colleagues in the Brave, Chrome, Safari and Tor Browser teams” for their own supercookie-crumbling efforts.

The second nasty killed in Firefox 85 is Adobe Flash, which release notes state has been so thoroughly dispelled that “There is no setting available to re-enable Flash support.”

Which is a fine idea because on top of Flash being a security nightmare, it was one more tool that supercookie-bakers used to create their evil trackers. ®

Biting the hand that feeds IT © 1998–2021